Universities get schooled on DNS amplification attacks

Colleges and universities are getting a piece of advice when it comes to the growing problem of distributed denial of service attacks that exploit the Domain Name System: Don’t be a part of the problem.

The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) recently advised its members to check their network and DNS configurations to avoid becoming “an unwitting partner” in distributed DOS attacks.

DDOS attacks overall are increasing in bandwidth and duration, to the point that they are moving from being primarily a nuisance (temporarily crowding out legitimate traffic) to being a real threat (possibly blocking critical services during an emergency, for example). And attacks exploiting DNS increased by 170 percent between 2011 and 2012.

The bar on DDOS attacks was raised again in March, when Swiss anti-spam organization Spamhaus was hit with an attack that reached 300 gigabits/sec of traffic. “To put that in context,” Doug Pearson, technical director of REN-ISAC, wrote in the advisory, “most universities and organizations connect to the Internet at 1 [gigabit/sec] or less. In this incident not only was the intended victim crippled, Internet service providers and security service providers attempting to mitigate the attack were adversely affected.”

The type of attack REN-ISAC is warning about is a DNS amplification attack, also called a DNS reflection attack. It takes advantage of publicly accessible recursive DNS servers, sending requests via spoofed IP addresses that appear to be from the intended victim, according to US-CERT. Because responses typically are larger than requests, the attacker amplifies the traffic aimed at the victim. When a botnet is used to send the spoofed requests, the result can be an overwhelming amount of traffic, US-CERT said.

A key phrase in that description is “publicly accessible.” Colleges and universities tend to be open in their access policies, so their open recursive resolvers, authoritative DNS servers and networks aren’t configured to prevent spoofing. That leaves them open to being exploited in DDOS attacks.

“These attacks may exploit thousands of institutional DNS servers to create an avalanche of network traffic aimed at a third-party victim,” Pearson wrote. The traffic at any one university might not be big enough to notice, but many networks in a botnet can create crippling results. “Too many higher education institutions contribute to this known and avoidable problem,” he said.

REN-ISAC recommends that its membership, which includes about 350 colleges and universities in the United States, Canada, Australia, New Zealand and Sweden, adopt a set of best practices to avoid the problem.

Chief among them is configuring recursive DNS resolvers (which handle queries) so they are accessible only to authorized/intended users on the organization’s network. US-CERT notes that there are free tools that will scan networks for vulnerable open DNS resolvers, such as the Open DNS Resolver Project and DNSInspect.

“It is absolutely critical all university recursive resolvers are properly configured so they only answer queries for the local users they're meant to be serving,” REN-ISAC’s advisory said.
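One way to run that check against a resolver you operate, from a vantage point outside the campus network (an added example, not code from REN-ISAC, US-CERT or the tools named above): send one query with the recursion-desired flag set and read the reply header. The name example.edu, the query ID, the verdict labels and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """A-record query with the RD (recursion desired) flag set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(query, response):
    """Judge a reply to a recursive query that was sent from OUTSIDE the network."""
    if response is None:
        return "no-answer"              # dropped by a router ACL or firewall
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!2H", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not (flags & 0x8000):
        return "malformed"              # wrong ID, or QR bit says it is not a response
    if (flags & 0x000F) == 5:
        return "refused"                # RCODE 5: recursion denied to outsiders
    if flags & 0x0080:
        return "open-resolver"          # RA set: recursion offered to this client
    return "no-recursion"               # RA clear: authoritative-only or recursion off

def amplification(query, response):
    """Response bytes per request byte, i.e. what a spoofed source would receive."""
    return len(response) / len(query)

def probe(server, name, timeout=3.0):
    """Send one query to a resolver you operate and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response = s.recvfrom(4096)[0]
        except socket.timeout:
            response = None
    return classify(query, response)

# Constructed sample replies (not captured traffic) for the query below.
QUERY = build_query("example.edu")
QUESTION = QUERY[12:]
OPEN_REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
REFUSED_REPLY = struct.pack("!6H", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("silent", None)):
        print(label, classify(QUERY, reply))
```

A verdict of "refused" or "no-answer" from outside, combined with normal answers from inside, is the behaviour the advisory asks for.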

Other recommendations include:

Use router access control lists to manage DNS traffic, directing queries from outside the enterprise only to permitted authoritative name servers.

Consider limiting the rate of responses for authoritative DNS servers, a tactic that is particularly important for zones that have been signed with DNS Security Extensions.

Separate the recursive resolver and authoritative name servers, so controls can be properly applied to each.

REN-ISAC offers other recommendations for DNS server and network configuration, which would be good advice for any public-sector organization. Government agencies, of course, got much the same advice in 2011, when the Homeland Security Department issued its DNS Security Reference Architecture. And US-CERT also offers how-to advice on mitigating DNS amplification attacks. The more public-sector agencies follow that advice, the more potential bots can be taken out of the game.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.